CVE-2023-40314: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

November 17, 2023 (updated November 27, 2023)

Cross-site scripting in bootstrap.jsp in multiple versions of OpenNMS Meridian and Horizon allows an attacker access to confidential session information. The solution is to upgrade to Horizon 32.0.5 or newer and Meridian 2023.1.9 or newer

Meridian and Horizon installation instructions state that they are intended for installation within an organization’s private networks and should not be directly accessible from the Internet.

OpenNMS thanks

Moshe Apelbaum

for reporting this issue.

References

github.com/OpenNMS/opennms/pull/6791
github.com/advisories/GHSA-c6xw-hg9q-3c9f
nvd.nist.gov/vuln/detail/CVE-2023-40314
opennms.atlassian.net/browse/NMS-15790

Code Behaviors & Features

Detect and mitigate CVE-2023-40314 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →